
cryptenroll: actually allow using multiple "special" strings when wiping

The systemd-cryptenroll man page states:

    Takes a comma separated list of numeric slot indexes, or the special
    strings ..., or any combination of these strings or numeric
    indexes, in which case all slots matching either are wiped.

but only one special string actually took effect at a time, because the
mask was assigned (=) instead of ORed (|=) for each match. So, for example,
--wipe=recovery,password would silently become --wipe=password, and the
recovery slots were left in place.
Frantisek Sumsal 2023-05-10 11:47:57 +02:00 committed by Luca Boccassi
parent 885b5cabe2
commit b0582f6b63
2 changed files with 6 additions and 6 deletions


@ -415,15 +415,15 @@ static int parse_argv(int argc, char *argv[]) {
if (arg_wipe_slots_scope != WIPE_ALL) /* if "all" was specified before, that wins */
arg_wipe_slots_scope = WIPE_EMPTY_PASSPHRASE;
} else if (streq(slot, "password"))
arg_wipe_slots_mask = 1U << ENROLL_PASSWORD;
arg_wipe_slots_mask |= 1U << ENROLL_PASSWORD;
else if (streq(slot, "recovery"))
arg_wipe_slots_mask = 1U << ENROLL_RECOVERY;
arg_wipe_slots_mask |= 1U << ENROLL_RECOVERY;
else if (streq(slot, "pkcs11"))
arg_wipe_slots_mask = 1U << ENROLL_PKCS11;
arg_wipe_slots_mask |= 1U << ENROLL_PKCS11;
else if (streq(slot, "fido2"))
arg_wipe_slots_mask = 1U << ENROLL_FIDO2;
arg_wipe_slots_mask |= 1U << ENROLL_FIDO2;
else if (streq(slot, "tpm2"))
arg_wipe_slots_mask = 1U << ENROLL_TPM2;
arg_wipe_slots_mask |= 1U << ENROLL_TPM2;
else {
int *a;
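Review bot: The switch to `|=` on the five `arg_wipe_slots_mask` lines makes the type mask cumulative across tokens and, presumably, across repeated `--wipe=` options as well, while the `empty`/`all` scope branch just above follows a different "last one wins, except all" rule; that asymmetry is worth a comment at the first `|=`, e.g. `/* type mask is cumulative: every named type from every --wipe= token is wiped */`. The five branches are the same statement with a different enum value, so if this file already keeps a string-to-EnrollType table, a single lookup would replace them and avoid a new enroll type being forgotten here. parse_argv starts and ends outside the hunk.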


@ -258,7 +258,7 @@ systemd-cryptenroll "$img" | grep recovery
cryptenroll_wipe_and_check "$img" --wipe=empty
(! cryptenroll_wipe_and_check "$img" --wipe=empty)
cryptenroll_wipe_and_check "$img" --wipe=empty,0
cryptenroll_wipe_and_check "$img" --wipe=0,0,empty,0,pkcs11,fido2,000,recovery
PASSWORD=foo NEWPASSWORD=foo cryptenroll_wipe_and_check "$img" --wipe=0,0,empty,0,pkcs11,fido2,000,recovery,password --password
systemd-cryptenroll "$img" | grep password
(! systemd-cryptenroll "$img" | grep recovery)
# We shouldn't be able to wipe all keyslots without enrolling a new key first
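Review bot: The negative check that follows the changed line only asserts that `recovery` is gone, although the same fix also ORs in `pkcs11` and `fido2`; if the image had such slots enrolled earlier in the script (not visible in this hunk), a matching `(! systemd-cryptenroll "$img" | grep -E 'pkcs11|fido2')` would pin the full combination rather than one pair. Matching `password` with a bare `grep` also depends on that word not appearing elsewhere in the listing output, so anchoring it to the slot-type column would make the check less fragile.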